[5.10,43/54] wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
Message ID | 20221013175148.379769517@linuxfoundation.org |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp408155wrs; Thu, 13 Oct 2022 11:03:08 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7Bw4TsqyANCLW1P0jMbA5fPuvU265pdZWel5+KcBrsd5LCADrQkL41qgUChriAIMLM1jNB X-Received: by 2002:a17:90b:4b49:b0:20d:3e36:3c7d with SMTP id mi9-20020a17090b4b4900b0020d3e363c7dmr12935438pjb.52.1665684187733; Thu, 13 Oct 2022 11:03:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665684187; cv=none; d=google.com; s=arc-20160816; b=jRp3PMN7o6InJOjmXpoB+ls3xUNfKgbwwBUag8Uti/xoMT9++fgm2QDOPK1vbWqIGd ds8nSXu3cyTOEwuMbWdpyGeB5EhLfEmzsLJJyFX3jkP51HdM/bUi93yTZCmehDoOkiF3 5f924l4IPZ2K3JgH/lNtYOM8xRIwtBmGi+GJH1vJGGRyxLI1V/Umc81IYdxOYQpiqJcY h8ptKLixbmElj9MmrrBp4wuViIMtO40cOEbrTHg8OcqCAVbvMWepvWbTl3029VjZgLWS Xcsw53f59pxil+Qp2krRjW/kbND7GgCAhURvmOzpEvfp1dqcXMtx1QZWBawKQpKFWInh ZzMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=gUTsYa9g+oZX421hC8YoVdHc3l899hA3+uqLzBTe/A4=; b=OONb1aQ7iwhIsUaSUH4hlRGzLfiP96+6rU8OGeNmau2POo1A0R2O0Kq7r9WL30CIku C0LtothtwaG4IG2xbqzdscB88wJ+cHjAKG3DHsdzCpXS/KMak04+e+y1eT4N069TJdQZ 4dg8VDfVZTAeJy60ucIUcIsLh94RcuEiK5wkHS2uwWbtZaX1+8aWhh8x0PrV+UbJjfrH f5Nesxw4ByA6AhBBYV5MQk+lJtkI07qpK+eFsTYluTIRN1q6oYjXtQdPRBdgdnPThwS+ +mOfyrf5LI8jXHnQdiK6S7IqSqKTh1SsiSJutzpdhLg2Eh6toVvn3ZZe/wUMf3hnY6St OMgQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=c7NraigC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o5-20020a056a001bc500b0055ffebbba91si37568pfw.112.2022.10.13.11.02.33; Thu, 13 Oct 2022 11:03:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=c7NraigC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230402AbiJMSB4 (ORCPT <rfc822;ouuuleilei@gmail.com> + 99 others); Thu, 13 Oct 2022 14:01:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230355AbiJMSBf (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Thu, 13 Oct 2022 14:01:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 121DA44CF8; Thu, 13 Oct 2022 11:01:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B42976192E; Thu, 13 Oct 2022 17:56:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AF016C4314D; Thu, 13 Oct 2022 17:56:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683790; bh=ogYEemfj0hCqBP5FiJ/sT1nkQsZaGnWIZS7D7O/DT14=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c7NraigCqQ53b2ffZpFOz5DUqkLWw/+m00DWqFLaPoR8z5Oz15KqEpuhatELvBWTj Nw8oUAznb01PIEOuWGR4Yk+zJ5pASP75/b25uiR20sWcpz9MtXgY1o3KLCO4tK0NDI udJkH6f1QScyh9CaAJ+J6xPKePicxM7Qo4TobvTM= From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Soenke Huster <shuster@seemoo.tu-darmstadt.de>, Kees Cook <keescook@chromium.org>, Johannes Berg <johannes.berg@intel.com> Subject: [PATCH 5.10 43/54] wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() Date: Thu, 13 Oct 2022 19:52:37 +0200 Message-Id: <20221013175148.379769517@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175147.337501757@linuxfoundation.org> References: <20221013175147.337501757@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1746596463113944181?= X-GMAIL-MSGID: =?utf-8?q?1746596463113944181?= |
Series |
None
|
|
Commit Message
Greg KH
Oct. 13, 2022, 5:52 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com> commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2228,7 +2228,7 @@ cfg80211_update_notlisted_nontrans(struc size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len; lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);